Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Secrets

Response

Credential-access response is evidence preservation first. We identify which secret class was accessed, which account performed the read, what systems or directory attributes were touched, and which credentials must be rotated.

High-value telemetry

EventMeaningFocus
4662Directory object accessLAPS, gMSA, DCSync, sensitive LDAP attribute reads when auditing is configured
5136Directory object modifiedDelegation or ACL changes that grant secret read rights
5140Network share accessedSYSVOL, NETLOGON, administrative shares
5145Detailed share accessSpecific SYSVOL or share file paths
4624Successful logonCredential validation and lateral movement
4625Failed logonPassword guessing or invalid reuse
4672Special privileges assignedAdmin logons and sensitive operations
4697Service installedRemote dumping through service creation
7045Service installedService creation on target host
7036Service state changeTemporary remote execution services

DCSync detection focuses on replication rights used by unexpected principals. Watch for Directory Replication Service operations from accounts that are not domain controllers, AD backup systems, or approved identity infrastructure.

LAPS and gMSA detection focuses on reads of sensitive attributes. In mature environments, enable SACLs on ms-Mcs-AdmPwd, Windows LAPS attributes, and msDS-ManagedPassword, then alert when unexpected users, workstations, or service accounts read them.

SYSVOL detection focuses on broad recursive reads, old GPP XML access, script access, and new file modification. Reading SYSVOL is normal; bulk collection and access to legacy preference XML is more interesting.

Triage commands

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662,5136,5140,5145,4624,4625,4672,4697} |
  Select-Object TimeCreated,Id,ProviderName,Message

Review sensitive AD delegation

Get-ADObject -LDAPFilter '(objectClass=computer)' -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime |
  Where-Object { $_.'ms-Mcs-AdmPwd' } |
  Select-Object Name,DistinguishedName,ms-Mcs-AdmPwdExpirationTime

Get-ADObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)' -Properties msDS-GroupMSAMembership |
  Select-Object Name,DistinguishedName,msDS-GroupMSAMembership

Review DCSync-style rights

Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity "DC=ootw,DC=local" -ResolveGUIDs |
  Where-Object { $_.ObjectAceType -match "Replication-Get" -or $_.ActiveDirectoryRights -match "GenericAll|AllExtendedRights" }

Rotate after exposure

User password exposed        Rotate the user password and invalidate active sessions.
Service password exposed     Rotate the service password and update dependent services.
LAPS password exposed        Trigger LAPS rotation on the affected host.
gMSA material exposed        Rotate the gMSA password and review allowed retrievers.
krbtgt exposed               Perform the krbtgt double-rotation process.
Local admin hash exposed     Rotate local administrator passwords across affected hosts.
DPAPI secrets exposed        Rotate affected application credentials, browser secrets, and RDP credentials.

Hardening checklist

  • Remove legacy GPP cpassword XML from SYSVOL.
  • Limit LAPS read rights to operational groups that actually need host admin recovery.
  • Limit gMSA retrieval rights to the hosts that run the service.
  • Audit and alert on DCSync rights outside Domain Controllers and approved identity systems.
  • Block broad local admin reuse with unique local administrator passwords.
  • Remove passwords from description, info, scripts, registry preferences, and file shares.
  • Monitor credential validation from unusual hosts immediately after secret reads.